{"description": "Summary: \nImageMagick is a very widely used image processing program; many vendors call it to process images, including scaling, cropping, watermarking, format conversion and more. I found that when a user passes in a file name that contains a | (vertical bar), it is possible to trigger a command injection vulnerability.\n\nDetails: \nAuthor: niubl ([Knownsec 404 Security Lab](http://blog.knownsec.com/2016/05/imagemagick-popen-remote-command-execution-vulnerability/)) ## I. Vulnerability summary ### i. Vulnerability description ImageMagick is a very widely used image processing program; many vendors call it to process images, including scaling, cropping, watermarking, format conversion and more. I found that when a user passes in a file name that contains a | (vertical bar), it is possible to trigger a command injection vulnerability. ### ii. Vulnerability When processing a file name, ImageMagick calls the OpenBlob() function. At line 2484 of the code, OpenBlob() checks whether the file name begins with a | (vertical bar); if it does, it calls the popen_utf8() function to handle the file name, as shown: ![](http://blog.knownsec.com/wp-content/uploads/2016/05/%E5%9B%BE%E7%89%87-1.png) popen_utf8() in turn calls popen() to open the file, which is what lets us inject system commands, as shown: ![](http://blog.knownsec.com/wp-content/uploads/2016/05/%E5%9B%BE%E7%89%87-1-1.png) ### iv. Exploit\uff08PHP\uff09 When PHP has the functions that execute system commands disabled, we can use this to bypass disable_functions. Write the following PHP code: `` `` Running it with PHP gives the result shown: ![](http://blog.knownsec.com/wp-content/uploads/2016/05/%E5%9B%BE%E7%89%87-1-2.png) ## II. Related resource links * http://www.imagemagick.org/download/beta/ * http://permalink.gmane.org/gmane.comp.security.oss.general/19669\n", "edition": 1, "title": "ImageMagick popen_utf8 function command injection vulnerability", "references": [], "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://www.seebug.org/vuldb/ssvid-91705", "history": [], "published": "2016-05-30T00:00:00", "type": "seebug", "lastseen": "2016-07-25T18:29:29", "objectVersion": "1.0", "hash": "f4323e3c95a544cdb1f6dffa48d6da5a08f77dd455769bb81733d976f4ca3dce", "reporter": "Root", "modified": "2016-05-30T00:00:00", "cvelist": [], "bulletinFamily": "exploit", "id": "SSV-91705"}